Does the controversial Privacy Shield really “work well”?

WELCOME to Connected Rights, your finger on the pulse of digital rights news and analysis.

PRIVACY SHIELD IS WORKING DESPITE SOME PROBLEMS, according to the European Commission. The executive issued its first annual report on the EU-US data-sharing deal on Wednesday, saying it ensures an “adequate level of protection” for Europeans whose personal data is being transferred to American servers: http://bit.ly/2zxf2Ek

(Quick recap: Privacy Shield is the revamped version of Safe Harbour, which got struck down by the EU’s highest court a couple years back, because it didn’t ensure an adequate level of protection – i.e. in line with European fundamental rights – for Europeans’ personal data. Many aren’t convinced that Privacy Shield is much better than Safe Harbour, because it still doesn’t stop U.S. intelligence from snooping around Europeans’ data if it wants to.)

“Transatlantic data transfers are essential for our economy, but the fundamental right to data protection must be ensured also when personal data leaves the EU. Our first review shows that the Privacy Shield works well, but there is some room for improving its implementation,” said justice commissioner Věra Jourová today.

So, what does the Commission want to see improved? It wants the (desperately understaffed) U.S. commerce department to engage in “more proactive and regular monitoring” of the companies that have self-certified on the Privacy Shield register. It wants “more awareness raising” in Europe to tell people how to make complaints, and it wants closer cooperation between privacy enforcers on both sides of the Atlantic.

The Commission also wants the U.S. to appoint a permanent Privacy Shield ombudsperson – an absolutely crucial part of the deal – and to “enshrine” an Obama-era presidential directive that’s supposed to offer more protections to non-Americans.

In other words, most of the stuff that Privacy Shield is supposed to provide as an improvement over Safe Harbour is not functioning properly yet. But everything is fine.

Remember, the Commission is a political beast that came up with and backed Safe Harbour until the bitter end (at which point it claimed it had known it was broken for years). Let’s see what the EU data protection regulators have to say when they give their assessment later this year.

THE US SUPREME COURT HAS TAKEN ON Microsoft’s big email case, in which the software giant is fighting prosecutors who want it to turn over emails stored on its Irish servers: https://usat.ly/2ze9gXr

This is a long-running battle that’s pretty important for establishing the extent of the justice department’s reach. The safety of data stored on US companies’ US servers is already controversial enough (see above), but if they can’t even protect what they’re storing outside the country, the US tech firms could be in even bigger trouble with their international customers and users.

MICROSOFT’S WINDOWS 10 BREAKS European data protection law on multiple counts, according to the Dutch privacy regulator: http://zd.net/2ySc5B4

Specifically (per the authority), Microsoft doesn’t tell users which data it’s collecting and why. Because it uses this data in all sorts of ways, it’s impossible for users to give their valid consent to its collection.

The data at issue here is mostly so-called telemetry data, which helps Microsoft identify and fix bugs. It’s also personal data, though, as it can be linked to identifiable individuals. Microsoft is adamant that it’s not doing anything wrong, but says it is trying to remain compliant with the law.

THE EU’S UPCOMING “EPRIVACY” REGULATION will contain a lot of new rules for online communications providers, and it is unsurprisingly being very heavily lobbied. Corporate Europe Observatory has more on “one of the worst lobby campaigns”: http://bit.ly/2zy38Ki

BRITISH SPIES ARE COLLECTING DATASETS OF SOCIAL MEDIA ACTIVITY and sharing them with foreign partners. Oh, and letting contractors fiddle around with the datasets with no apparent oversight. All this we now know thanks to litigation by Privacy International: http://bit.ly/2iiXBn1

The UK-based privacy organisation is suing the government over its agencies’ collection and use of so-called bulk personal datasets, which was a secret until 2015, when it became known and therefore (in one of history’s most side-eye-worthy rulings) legal. Well, theoretically legal – this surveillance and data-sharing activity is supposed to have oversight and privacy safeguards, and Privacy International asserts that neither is truly in place.

Its lawsuit has already revealed the use of social media datasets, and more may be coming. In particular, the Investigatory Powers Tribunal wants to know how many times the data has been accessed without any useful intelligence purpose being served, how much technical understanding the supposed overseers actually have, and whether there is any auditing of the agencies’ “artificial intelligence techniques”. Do stay tuned!

By the way, Privacy International is also suing the UK authorities over their use of hacking, and it’s crowdfunding the fight. Here’s where you can donate: http://bit.ly/2gP4kBw

Want to support this newsletter? If so, a thousand thanks! Here’s my Patreon page. Many thanks to those who are already contributing, too.

THE PRIVATE MESSAGING APP TELEGRAM has been fined around $14,000 by a Russian court that wants it to offer up the keys to its users’ encrypted communications: http://bit.ly/2xP7Ia7

Telegram is the brainchild of Russia’s answer to Mark Zuckerberg, Pavel Durov. He left the country after offloading his stake in VK, the social network he founded, and is not on great terms with the authorities there. Now he’s promising to fight this order, and is gathering a legal team to do so.

Telegram has often proved controversial, not just because of its encrypted messaging, but also because it offers public channels through which people can broadcast messages – channels that have reportedly been used by terrorists trying to solicit support. It will be interesting to see if the app ends up getting blocked in Russia. It has a lot of fans in the country, allegedly including top Kremlin officials.

WANT TO KNOW MORE ABOUT THE RUSSIAN “TROLL FACTORY” that allegedly influenced last year’s US election? Meduza, an independent Russian outlet, has more: http://bit.ly/2xPnPEH

There are many interesting details in there, but one leaps out – the “Internet Research Agency” hired people (without them knowing) in the US to lead divisive protests. Here’s the Guardian’s more in-depth article on that: http://bit.ly/2gpEpn8

GOOGLE HAS MADE IT EASIER for people with consumer Gmail accounts to protect themselves against unwanted intrusion. The measures it’s unveiled are intended for “campaign staffers preparing for an upcoming election, journalists who need to protect the confidentiality of their sources, or people in abusive relationships seeking safety”: http://bit.ly/2zt6JcF

“Campaign staffers preparing for an upcoming election”? Can’t think which (cough #DNCleaks cough) incident they might be referring to there. Anyhow, the “Advanced Protection” measures in question include support for physical security keys to log into accounts, the limiting of account access to specific apps (only Google apps for now), and more steps when trying to recover an account you’ve been locked out of.

Should all these measures be in place for all users? Probably not – they do make the service harder to use, which is why they’re only recommended for people who face an unusually high security threat. Hopefully this level of protection will one day be commonplace due to greater ease of use, but we’re not there yet.

THE US DEPUTY ATTORNEY GENERAL IS TALKING NONSENSE about encryption again and really, I’m too tired to rewrite the same counterarguments I’ve written so many times before, so I’ll leave it to security expert Robert Graham: http://bit.ly/2yScYto

If you’d like me to write articles for you about digital rights issues, speak at your event or provide privacy advice for your business, drop me an email at david@dmeyer.eu.

A TROVE OF MILLIONS OF SOUTH AFRICANS’ PERSONAL DATA has shown up online, including income, company directorships, employment history and property ownership. Where did it come from? According to one report, the data bureau Dracore: http://bit.ly/2ikXyae

SOMEONE HACKED MICROSOFT’S INTERNAL DATABASE OF KNOWN SOFTWARE BUGS in 2013, and the company very naughtily did not tell its customers nor the public: http://reut.rs/2ysNpw2

About the author

I’m David Meyer, a tech journalist with more than a decade’s experience writing about technology. I’ve covered many topics in that time, though I’m most interested in the policy decisions and technological breakthroughs that will shape our world. You can find me on Twitter as @superglaze and on Facebook as @davidmeyerwrites.